Another in the series of bitesize blog posts about features in MQ V8. Check out the whole series here.
If you want to use the new User ID and Password Authentication feature in MQ V8 but not all of your client applications send a user ID and password, MQ V8 ships a new security exit called mqccred that you can use. mqccred supplies a user ID and password on behalf of a client application; these are then sent to MQ and, if configured, authenticated.
Everything you need can be found in <<installation directory>>\Tools\c\Samples\mqccred\ on Windows and <<installation directory>>/samp/mqccred on Unix.
Setting up the user IDs and passwords
The mqccred.ini file holds your user ID and password information. By default the exit expects this file at $HOME/.mqs/mqccred.ini. If you would like to keep it elsewhere, set the environment variable MQCCRED to point at it.
You can provide a user ID and password for all queue managers or for each individual queue manager. This is an example of an mqccred.ini file:
AllQueueManagers:
  User=user1
  Password=passw0rd
QueueManager:
  Name=QMA
  User=user2
  Password=passw0rd2
The individual queue manager definitions take precedence over the global setting. For a queue manager you can also override a user ID and password that is explicitly supplied by an application by using the Force=TRUE attribute. The default for all queue managers is FALSE.
QueueManager:
  Name=QMB
  User=user3
  Password=passw0rd3
  Force=TRUE
Protecting the mqccred.ini file
Since this file contains passwords, it should be protected. First, restrict access to it by removing all unnecessary file permissions. Next, use the runmqccred program to obfuscate the passwords: it removes the plaintext Password attributes and replaces each one with an OPW attribute.
QueueManager:
  Name=QMA
  User=user2
  OPW=95E485A0FD0CE8AA
If the file permissions are not secure enough, runmqccred produces this message:
Configuration file 'C:\Users\User1\.mqs\mqccred.ini' is not secure. Other users may be able to read it. No changes have been made to the file. Use the -p option for runmqccred to bypass this error.
You can bypass this check with the -p flag, but the exit will fail to run when put into production if the permissions have not been fixed. When runmqccred runs successfully it reports how many passwords it obfuscated.
File 'C:\Users\User1\.mqs\mqccred.ini' processed successfully. Plaintext passwords found: 3
If you add new passwords or update old ones, the tool only processes the plaintext passwords and leaves your already obfuscated ones untouched.
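As an added illustration of the precedence rules described above and of the file-permission check runmqccred makes (example code written for this post, not IBM's code or the mqccred exit itself), the following Python parses a constructed mqccred.ini and resolves which credentials would apply for a given queue manager. It assumes the stanza layout shown above (a "Stanza:" header line followed by indented Key=Value attribute lines) and checks POSIX mode bits only, not Windows ACLs.

```python
import stat

# Constructed sample (assumption: "Stanza:" header line, then indented Key=Value lines).
SAMPLE_INI = """\
AllQueueManagers:
  User=user1
  Password=passw0rd
QueueManager:
  Name=QMA
  User=user2
  OPW=95E485A0FD0CE8AA
QueueManager:
  Name=QMB
  User=user3
  Password=passw0rd3
  Force=TRUE
"""

def parse_mqccred(text):
    """Split the file into the AllQueueManagers dict and a {Name: attrs} map."""
    stanzas = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith(":"):                  # stanza header
            stanzas.append((line[:-1], {}))
        elif "=" in line and stanzas:           # attribute inside a stanza
            key, _, value = line.partition("=")
            stanzas[-1][1][key.strip()] = value.strip()
    global_stanza = next((a for k, a in stanzas if k == "AllQueueManagers"), {})
    per_qm = {a["Name"]: a for k, a in stanzas if k == "QueueManager" and "Name" in a}
    return global_stanza, per_qm

def resolve_credentials(text, qm_name, app_user=None):
    """QueueManager stanza beats AllQueueManagers; only Force=TRUE overrides an app-supplied user."""
    global_stanza, per_qm = parse_mqccred(text)
    stanza = per_qm.get(qm_name, global_stanza)
    force = stanza.get("Force", "FALSE").upper() == "TRUE"
    if app_user is not None and not force:
        return {"user": app_user, "source": "application"}
    if not stanza:
        return None
    # OPW means runmqccred already replaced the plaintext Password; it is only reported, never reversed.
    return {"user": stanza.get("User"), "obfuscated": "OPW" in stanza, "source": "mqccred.ini"}

def mode_is_private(mode):
    """runmqccred-style check on POSIX mode bits: fail if group or other can read."""
    return not (mode & (stat.S_IRGRP | stat.S_IROTH))
```

Pass the result of os.stat(path).st_mode to mode_is_private to check a real file before running runmqccred.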
Putting it into practice
Once the file is set up, enable the channel exit by adding the SCYEXIT('mqccred(ChlExit)') attribute to your CLNTCONN channel definition.
Because the exit supplies the credentials on the application's behalf, it can also be used with all client applications written before MQ V8.